
Citrix Products affected from log4j zero-day vulnerability (CVE-2021-44248)?


Bernd Laenge

Question

24 answers to this question


  • 0

Keeping an eye >> Citrix is closely monitoring the recent vulnerability disclosure by Apache Software Foundation on December 10th, 2021 - CVE-2021-44228. 

Citrix has mobilized its Security and IT organizations to investigate the issue and immediately mitigate potential risks. Please find below the status of the products which are currently being investigated: 

Customers who use Citrix ADC or Citrix Gateway as MPX, VPX or SDX instances and who are also not using the WIonNS feature are not impacted by this issue. Citrix is continuing to investigate any potential impact on the WIonNS feature deployments. 

Citrix is also continuing to investigate any potential impact on CPX and BLX instances.  

  • 0

Add on ADC to protect vServer (bind to vserver or globally as responder)

add policy patset patset_cve_2021_44228
bind policy patset patset_cve_2021_44228 ldap
bind policy patset patset_cve_2021_44228 http
bind policy patset patset_cve_2021_44228 https
bind policy patset patset_cve_2021_44228 ldaps
bind policy patset patset_cve_2021_44228 rmi
bind policy patset patset_cve_2021_44228 dns
bind policy patset patset_cve_2021_44228 nis
bind policy patset patset_cve_2021_44228 iiop
bind policy patset patset_cve_2021_44228 corba
bind policy patset patset_cve_2021_44228 nds
add responder policy mitigate_cve_2021_44228 q^HTTP.REQ.FULL_HEADER.SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.AFTER_STR("${").BEFORE_STR("}").CONTAINS("${") || HTTP.REQ.FULL_HEADER.SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.SET_TEXT_MODE(IGNORECASE).STRIP_CHARS("${: }/+").AFTER_STR("jndi").CONTAINS_ANY("patset_cve_2021_44228") || HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.AFTER_STR("${").BEFORE_STR("}").CONTAINS("${") || HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.SET_TEXT_MODE(IGNORECASE).STRIP_CHARS("${: }/+").AFTER_STR("jndi").CONTAINS_ANY("patset_cve_2021_44228")^ DROP

  • 0
On 12/14/2021 at 1:43 PM, Erwin de Beer1709152891 said:

After 4 days still no information about if XenMobile is vulnerable. This is very worrying ...

 

Yes, Citrix Endpoint Management (aka XenMobile) is affected by the log4j vulnerability.

If you have a firewall between the internet and your Citrix Endpoint Management nodes, block outgoing LDAP/LDAPS/DNS Reverse callback.

  • 0
6 hours ago, Paul Jacobsen1709160118 said:

 

Yes, Citrix Endpoint Management (aka XenMobile) is affected by the log4j vulnerability.

If you have a firewall between the internet and your Citrix Endpoint Management nodes, block outgoing LDAP/LDAPS/DNS Reverse callback.

Can your users still enroll devices with that block enabled? 

  • 0

Curious, if Citrix ADC is not affected:

Citrix ADC (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) 

Not impacted (all platforms) 

 

Why do we need to add this? 

 

What Customers Should Do

Citrix has released configurations that are designed to mitigate the risk of exploit of CVE-2021-44228. Citrix ADC Standard, Advanced or Premium edition customers may use responder policies for protection as shown below. Please bind the responder policy to the appropriate bind point (vserver or global). 

 

add policy patset patset_cve_2021_44228
bind policy patset patset_cve_2021_44228 ldap
bind policy patset patset_cve_2021_44228 http
bind policy patset patset_cve_2021_44228 https
bind policy patset patset_cve_2021_44228 ldaps
bind policy patset patset_cve_2021_44228 rmi
bind policy patset patset_cve_2021_44228 dns
add responder policy mitigate_exploit_cve_2021_44228 q^HTTP.REQ.FULL_HEADER.SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.AFTER_STR("${").BEFORE_STR("}").CONTAINS("${") || HTTP.REQ.FULL_HEADER.SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.SET_TEXT_MODE(IGNORECASE).STRIP_CHARS("${: }/+").AFTER_STR("jndi").CONTAINS_ANY("patset_cve_2021_44228") || HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.AFTER_STR("${").BEFORE_STR("}").CONTAINS("${") || HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.SET_TEXT_MODE(IGNORECASE).STRIP_CHARS("${: }/+").AFTER_STR("jndi").CONTAINS_ANY("patset_cve_2021_44228")^ DROP

  • 0
7 hours ago, Alex Coviello said:

Curious, if Citrix ADC is not affected:

Citrix ADC (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) 

Not impacted (all platforms) 

 

Why do we need to add this? 

 

What Customers Should Do

Citrix has released configurations that are designed to mitigate the risk of exploit of CVE-2021-44228. Citrix ADC Standard, Advanced or Premium edition customers may use responder policies for protection as shown below. Please bind the responder policy to the appropriate bind point (vserver or global). 

 

add policy patset patset_cve_2021_44228
bind policy patset patset_cve_2021_44228 ldap
bind policy patset patset_cve_2021_44228 http
bind policy patset patset_cve_2021_44228 https
bind policy patset patset_cve_2021_44228 ldaps
bind policy patset patset_cve_2021_44228 rmi
bind policy patset patset_cve_2021_44228 dns
add responder policy mitigate_exploit_cve_2021_44228 q^HTTP.REQ.FULL_HEADER.SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.AFTER_STR("${").BEFORE_STR("}").CONTAINS("${") || HTTP.REQ.FULL_HEADER.SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.SET_TEXT_MODE(IGNORECASE).STRIP_CHARS("${: }/+").AFTER_STR("jndi").CONTAINS_ANY("patset_cve_2021_44228") || HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.AFTER_STR("${").BEFORE_STR("}").CONTAINS("${") || HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.SET_TEXT_MODE(IGNORECASE).STRIP_CHARS("${: }/+").AFTER_STR("jndi").CONTAINS_ANY("patset_cve_2021_44228")^ DROP

Wondering the same here. The blog they are referring to below this statement talks about Web Application Firewall, which we don't use.

Yet, my customer ran a security scan and found the system vulnerable to Log4j.

In the same context Citrix advises us to implement Apache patches as they become available. Sorry Citrix, but it's YOUR job to provide us with a working solution and not have us compiling linux libraries without (sorry for the vent)

  • 0
On 12/14/2021 at 1:43 PM, Erwin de Beer1709152891 said:

After 4 days still no information about if XenMobile is vulnerable. This is very worrying ...

 

I've called Citrix support. They let me know XenMobile is indeed affected by the bug and a patch is available for the 10.14 release: https://support.citrix.com/article/CTX335763

 

No word on how much we were exposed unfortunately. Also no mention of the vulnerability in the release notes.

  • 0
1 hour ago, Andreas Schott said:

We have the answer from support that the patch (https://support.citrix.com/article/CTX335763) does not contain a fix for CVE-2021-44248.

 

They keep working on it.

 

Just asked support again and this is their response...

Yes, the RP contains the mitigation steps; these were released yesterday after testing by our product team and the docs are in the process of being updated.
The tentative date is by tomorrow, but you could consider the mail from our end as a confirmation for the same
Please let me know if you have any further queries on this.

<name redacted>
Senior Technical Support Engineer
Citrix Endpoint Management & Content Collaboration Support
Citrix R & D India Private Limited


 

 

  • 0
31 minutes ago, Erwin de Beer1709152891 said:

 

Just asked support again and this is their response...

Yes, the RP contains the mitigation steps; these were released yesterday after testing by our product team and the docs are in the process of being updated.
The tentative date is by tomorrow, but you could consider the mail from our end as a confirmation for the same
Please let me know if you have any further queries on this.

<name redacted>
Senior Technical Support Engineer
Citrix Endpoint Management & Content Collaboration Support
Citrix R & D India Private Limited


 

 

 

I asked support again and it was confirmed to me that RP contains mitigation steps. It's a security RP.

  • 0
5 hours ago, Thomas Greszlig said:

Hi,

Is there a way to check the XenMobile log? On the NetScaler I can see it in the httpaccess-vpn logs.

On XenMobile I find the logs but found nothing related to CVE-2021-44228. Does anyone know which file I need to look at?

 

I too am interested in finding out which logs to check for evidence of an intrusion if there was indeed one.  Here is what support told me which is hardly inspiring confidence: "You could look in the support bundle: https://docs.citrix.com/en-us/xenmobile/server/monitor-support/support-bundles.html

But I do not know what you would need to look for, or if it would be included there".
 

  • 0

Hi,

I also have an open case with Citrix. Only links on how to get the normal log files. So annoying. I have now asked for the third time how exactly to detect an attack. On the NetScaler I see it in the httpaccess-vpn logs, something like: jndi: ldap: //195.54 ..... But on the XenMobile Server there is no log like that. I checked the whole hard disk. So is the XenMobile Server really attackable in this specific way, or does the server only use an attackable version of LOG4J? I don't see any hints that the XenMobile Server tried to connect to a server on the internet via LDAP. But I see incoming traffic with jndi: ldap: //195.54 .....

 

  • 0

Hi there,

I spoke to Citrix support in Germany -> XenMobile was using a vulnerable version of LOG4J. But with current attempts like ldap: //195.54 ..... via 443 to the XenMobile website, it is not possible to take over XenMobile (to get bash etc.). That also coincides with my findings. I see in the logs of the firewall incoming traffic with ldap: //195.54 ..... but no outgoing traffic from the XenMobile Server.

In the new RPs, version 2.16.0 is installed.

 
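Added example, not code from this thread or from Citrix: the check this post and the earlier firewall-block advice rely on is whether the server itself ever opened an outbound LDAP/RMI/DNS connection to the internet, since that callback is what a successful lookup produces. The Python below triages constructed firewall log lines (an assumed key=value layout, not any vendor's format; the IPs and allowlist are made up) for outbound connections from the monitored server to destinations that are neither internal nor allowlisted. A "deny" row is the egress block recommended earlier doing its job; an "allow" row means the callback got out and the host needs a closer look.

```python
"""Triage firewall connection logs for outbound JNDI callbacks.

A successful Log4Shell lookup makes the vulnerable host itself connect out
to the attacker's LDAP/RMI server, so the egress log is where exploitation
is confirmed or ruled out, independent of what the application logs.
"""
from __future__ import annotations

import ipaddress
import re

# Constructed values: the monitored server and the destinations it is
# expected to talk to. Adjust to the real environment.
MONITORED_SRC = {"10.0.0.10"}
KNOWN_GOOD_DST = {"203.0.113.50"}  # e.g. an expected external update endpoint
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Default ports of the schemes named in the thread's pattern set; only a hint,
# since a callback server can listen on any port.
SERVICE_BY_PORT = {389: "ldap", 636: "ldaps", 1099: "rmi", 53: "dns"}

# Assumed generic key=value layout; not any vendor's actual format.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: inbound hit on the server (1), expected internal LDAP
# to a directory server (2), a blocked callback (3), an allowlisted
# destination (4) and a callback that was allowed out (5).
SAMPLE_FW_LOG = """\
ts=2021-12-14T10:01:10Z src=203.0.113.7 dst=10.0.0.10 dport=443 action=allow
ts=2021-12-14T10:01:11Z src=10.0.0.10 dst=10.0.0.20 dport=389 action=allow
ts=2021-12-14T10:01:12Z src=10.0.0.10 dst=203.0.113.9 dport=1389 action=deny
ts=2021-12-14T10:01:13Z src=10.0.0.10 dst=203.0.113.50 dport=443 action=allow
ts=2021-12-14T10:05:00Z src=10.0.0.10 dst=198.51.100.4 dport=1099 action=allow
"""


def parse_kv(line: str) -> dict[str, str]:
    """Split one log line into a field dict, dropping quotes around values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_internal(ip: str) -> bool:
    """Membership test against the explicit internal ranges. Deliberately not
    ipaddress.is_private: that also treats the documentation ranges used in
    these samples (203.0.113.0/24 etc.) as private."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_egress(
    text: str, monitored=MONITORED_SRC, known_good=KNOWN_GOOD_DST
) -> list[tuple[int, str, int, str, str]]:
    """Return (line_no, dst, dport, service, action) for every connection the
    monitored server opened to a destination that is neither internal nor
    allowlisted."""
    hits: list[tuple[int, str, int, str, str]] = []
    for n, line in enumerate(text.splitlines(), 1):
        f = parse_kv(line)
        src, dst = f.get("src"), f.get("dst")
        if src not in monitored or dst is None:
            continue
        if dst in known_good or is_internal(dst):
            continue
        port = int(f.get("dport", "0"))
        hits.append((n, dst, port, SERVICE_BY_PORT.get(port, "other"), f.get("action", "?")))
    return hits


if __name__ == "__main__":
    for n, dst, port, svc, action in suspicious_egress(SAMPLE_FW_LOG):
        print(f"line {n}: {action.upper()} outbound to {dst}:{port} ({svc})")
```

The allowlist approach is deliberate: a management server like this normally talks to a small, known set of external endpoints, so anything else leaving it is worth a ticket regardless of port, and the port-to-service table is only there to label the obvious cases.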

